Package: icinga-cgi
Version: 1.7.1-1
Severity: important
Tags: security

Hi.

Being a security nerd I'd actually consider this severity grave, but anyway: I stumbled myself across the subtle black magic behind Apache PCRE match directives just before and reported some documentation improvement ideas upstream (read that for the long details): https://issues.apache.org/bugzilla/show_bug.cgi?id=53483

In apache2.conf example you use:

<DirectoryMatch "^(/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)">

As far as I can see, this is NOT from the upstream sources, right? If so I'd have to report that upstream, too.

That pattern is security critical as it also matches directories like:

/usr/share/icinga/htdocsMY-SECRET-STUFF
/usr/lib/cgi-bin/icinga-never-execute-this

Well, of course one can always argue, if people do such weird stuff, it's their fault, but we can never know which setups may be reasonable for them.

In principle (!) the following should work (note the trailing /):

"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/"

This matches the directories themselves and any subdirs, but NOT dirs starting with these strings.

Unfortunately there is still something wrong (which may be a bug in Apache), see: https://issues.apache.org/bugzilla/show_bug.cgi?id=53483#c2

Icinga may be unaffected by this, as we only go in via aliases,... I will try that tomorrow. So please keep the bug open until we could trace everything down :)

Cheers,
Chris.

btw: The ?: in the beginning means that the subpatterns (the (...) thingies) are not captured, which makes things a bit faster.
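To see the over-matching the report describes, the two patterns quoted above can be run against a few directory paths with Python's re module (compatible with PCRE for this syntax). This is an added example, not part of the bug report or the Debian packaging; the sample directories are constructed, and the helper emulates only the unanchored regex search Apache performs, not whether Apache presents the directory path with or without a trailing slash (the open point in the Apache bugzilla comment referenced above).

```python
import re

# Pattern from the packaged apache2.conf quoted in the report: nothing terminates the prefix.
PATTERN_ORIGINAL = r"^(/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)"
# Pattern proposed in the report: trailing slash, non-capturing group.
PATTERN_PROPOSED = r"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/"

INTENDED_DIRS = ("/usr/share/icinga/htdocs", "/usr/lib/cgi-bin/icinga", "/etc/icinga/stylesheets")

# Constructed sample directory paths, including the two prefix-colliding names from the report.
SAMPLE_DIRS = [
    "/usr/share/icinga/htdocs/",
    "/usr/share/icinga/htdocs",          # same directory, presented without a trailing slash
    "/usr/share/icinga/htdocs/images/",  # legitimate subdirectory
    "/usr/share/icinga/htdocsMY-SECRET-STUFF/",
    "/usr/lib/cgi-bin/icinga-never-execute-this/",
    "/etc/icinga/stylesheets/",
    "/var/www/",
]


def directory_match(pattern: str, directory: str) -> bool:
    """Emulate the DirectoryMatch test: an unanchored regex search over the
    directory path. Any anchoring (^, trailing /) must come from the pattern."""
    return re.search(pattern, directory) is not None


def is_intended(directory: str) -> bool:
    """True if `directory` is one of the intended directories or lies below one."""
    return any(directory in (p, p + "/") or directory.startswith(p + "/") for p in INTENDED_DIRS)


def over_matched(pattern: str, dirs=SAMPLE_DIRS):
    """Directories that `pattern` matches although they only share a string prefix
    with the intended ones: the security-relevant false positives."""
    return [d for d in dirs if directory_match(pattern, d) and not is_intended(d)]


def compare(dirs=SAMPLE_DIRS):
    """Per directory: (matched by original pattern, matched by proposed pattern)."""
    return {d: (directory_match(PATTERN_ORIGINAL, d), directory_match(PATTERN_PROPOSED, d)) for d in dirs}


if __name__ == "__main__":
    for d, (orig, proposed) in compare().items():
        print(f"{d:45} original={orig!s:5} proposed={proposed!s:5}")
    print("over-matched by original:", over_matched(PATTERN_ORIGINAL))
    print("over-matched by proposed:", over_matched(PATTERN_PROPOSED))
```

The proposed pattern stops matching the prefix-colliding names, but the row for the directory without a trailing slash shows why the author says "in principle": the fix only works if the tested path actually ends in "/".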
Hi. Being a security nerd I'd actually consider this severity grave but anyway: I stumbled myself accross the subtle black magic behind Apache PCRE match directives just before and reported some documentation improvement ideas upstream (read that for the long details): https://issues.apache.org/bugzilla/show_bug.cgi?id=53483 In apache2.conf example you use: <DirectoryMatch "^(/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)"> As far as I can see, this is NOT from the upstream sources right? If so I'd have to report that upstream, too. That pattern is security critical as it also matches directories like: /usr/share/icinga/htdocsMY-SECRET-STUFF /usr/lib/cgi-bin/icinga-never-execute-this Well of course one can always argue, if people do such weird stuff, it's their fault, but we can never know which setups may be reasonable for them. In principle (!) the following should work (note the trailing /): "^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/" This matches the directories themselves and any subdirs, but NOT dirs starting with these strings. Unfortunately there is still something wrong (which may be a bug in Apache), see: https://issues.apache.org/bugzilla/show_bug.cgi?id=53483#c2 Icinga may be unaffected by this, as we only go in via aliases,... I will try that tomorrow. So please keep the bug open until we could trace everything down :) Cheers, Chris. btw: The ?: in the beginning means, that the subpatterns (the (...) thingys) are not captured, which makes things a bit faster. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org